The most feared topic an auditor can ask! 2/10

In the world of finance, accounting, control, IT, and process organization, we always meet the principle of least privilege: in order to reduce the risk of abuse and error, employees must be restricted to the activities that are absolutely essential for their tasks. This principle was known and adhered to well before the birth of information technology: it was limited who had the keys to rooms and safes, and which documents they were allowed to see. This has always been decided and controlled by the owner of the given business or activity, since this control process is in the interest of the ownership and the business itself.

When the principles and first known standards of information security were established, this principle was already included in them – rightly so. Even now, it still appears in the latest IT security standards. But is this really the responsibility of IT security? What about the other areas that had this requirement before?

The answer is that this principle has remained a requirement in all these other areas of an organization, and they still have certain responsibilities in this area. It remains up to the owner of the business or activity to decide who gets entitlements. However, in complex IT systems, IT and information security play major roles in enforcing the principle of least privilege. IT operations has been given executive (and occasionally decision-making) rights, while information security has general oversight and judgment over the whole activity. This, however, increased the number of those who are responsible for and involved in the rights management process. In fact, a situation has arisen in which practical responsibility has become debatable: based on its current, temporary interests, each department decides whether or not to take responsibility.

As a result, this issue is spread across multiple domains within an organization: responsibilities and activities are shared. Therefore, proper management can easily become a never-ending task, endangered by a series of internal conflicts.

It’s no wonder that I have never heard a company say that “We are handling this problem perfectly. Everyone has access to the exact amount of information and functionality that they really need …”!
